Principles
- Differentiate when to use the two topologies for load balancing
- Understand how to configure load balancing
- Configure and understand service monitors
- Understand how to Add/Edit/Delete a server pool
- Understand how to Add/Edit/Delete an application profile
- Understand how to Add/Edit/Delete virtual servers
- Determine appropriate NSX Edge instance size based on load balancing requirements
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Installation Guide
https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf
- NSX Design Guide
Differentiate when to use the two topologies for load balancing
In-Line Load Balancing
- Also known as Transparent Mode
- Deployed in line with workload traffic – i.e. all workload traffic must pass through it regardless of whether it requires load balancing
- Default Gateway for workload VMs is the Load Balancer itself
- Incoming traffic to the VIP is translated to the server IP through Destination NAT
- Responses from the server to client are subject to a Source NAT
- With this method the Client IP is preserved – i.e. there is no Source NAT on the incoming traffic to the VIP, so the workload server has full visibility of the client
Proxy Load Balancing
- Also known as one-arm mode
- Deployed alongside workload VMs (servers) on the same subnet
- Load Balancer performs both a Source NAT and Destination NAT for client traffic
- Server is not aware of the actual IP address of the client – can pose difficulties for SSL
- Reverse traffic must pass through the Load Balancer (as incoming traffic has SNAT applied)
- Load Balancer can insert original Client IP into HTTP packets through the “X-Forwarded-For” HTTP Header
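Worked example added to these notes (not from the original page or from VMware): how a workload server behind a one-arm load balancer should recover the real client address from the "X-Forwarded-For" header. The load balancer address 10.0.1.10 is constructed, and the example assumes the LB appends the client address to the header (HAProxy "option forwardfor" behaviour), so the rightmost entry is the one the LB added.

```python
import ipaddress

# Constructed value: the Edge interface address the pool members see as the
# TCP peer after the one-arm load balancer's Source NAT.
TRUSTED_LB = {ipaddress.ip_address("10.0.1.10")}


def client_ip(peer_addr, headers):
    """Return the address a workload server should log or rate-limit on.

    peer_addr is the TCP source address of the connection. In one-arm mode
    that is the load balancer (SNAT), so the real client appears only in
    X-Forwarded-For. In in-line (transparent) mode there is no SNAT and
    peer_addr already is the client.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_LB:
        # Connection did not come through the LB (in-line mode, or a direct
        # hit on the server): any X-Forwarded-For here is client-supplied
        # and unverifiable, so ignore it.
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        # Application profile has X-Forwarded-For insertion disabled;
        # nothing better than the LB address is known.
        return str(peer)
    # The LB appends its entry, so the rightmost value is the one it observed.
    # Entries to the left were in the client's request and may be forged.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return str(peer)
```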
Understand how to configure load balancing
Pre-requisites
- Load Balancing is configured on an NSX Edge
- The Edge firewall must be enabled for load balancing to work
- VIPs can be configured directly on Interfaces or as secondary IPs
Go to Edge -> Manage -> Interfaces and add Secondary IPs to the Interface hosting the server Virtual IPs (VIPs)
From the Load Balancer -> Global Configuration tab click Edit and Enable the Load Balancer
Order of configuration
- Configure Application Profiles
- Add a Service Monitor (optional)
  - Sample monitors are provided out of the box for HTTP/S and TCP
- Add 1 or more Server Pools and apply any previously defined Service Monitors
  - Add 1 or more members to each pool and set the Monitor Port where a Service Monitor is applied
- Add Application Rules (optional)
  - Add 1 or more application rules to be applied to a Virtual Server
  - Rules follow HAProxy syntax: http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#7
- Add a Virtual Server
Configure and understand service monitors
Sample monitors are provided out of the box for HTTP/S and TCP
Understand how to Add/Edit/Delete a server pool
Algorithm = ROUND-ROBIN, IP-HASH, LEASTCONN, URI, HTTPHEADER, URL
Add 1 or more members to the pool and set the Monitor Port where a Service Monitor is applied
Understand how to Add/Edit/Delete an application profile
Application Profile Types:
- TCP: TCP-based load balancing.
- UDP: UDP-based load balancing.
- HTTP: HTTP-based load balancing.
- SSL Passthrough: AppRules related to SSL attributes are allowed without requiring SSL termination on Load Balancer.
- HTTPS Offloading: HTTP-based load balancing; SSL is terminated on LB and HTTP is used between LB and pool.
- HTTPS End-To-End: HTTP-based load balancing; SSL is terminated on LB and HTTPS is used between LB and pool.
Understand how to Add/Edit/Delete virtual servers
- Select Application Profile
- IP Address (from secondary IPs configured earlier)
- Protocol
- Port
- Application Rules (optional)
Acceleration
- A Load Balancer has 2 engines: L4 (TCP) and L7 (HTTP/HTTPS)
- Acceleration is applied on L4 services only
- L4 is faster than L7 because it processes packets before the Edge Firewall, hence no “Allow” rule is required for traffic destined for an accelerated VIP
- L7 traffic is processed after the traffic goes through the Firewall and so an “Allow” rule must be configured for that service VIP
- The firewall should be enabled in either case for load balancing to work
Determine appropriate NSX Edge instance size based on load balancing requirements
Configuration Parameter            | Max for Compact, Large and Quad Large Load Balancers | Max for X-Large Load Balancers |
-----------------------------------|------------------------------------------------------|--------------------------------|
VIPs                               | 64                                                   | 1024                           |
Pools                              | 64                                                   | 1024                           |
Servers per pool                   | 32                                                   | 32                             |
Health Checks                      | 320                                                  | 3072                           |
Application Rule Size (characters) | 4096                                                 | 4096                           |
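Added example (not from the original notes): a pre-deployment check that applies the sizing maximums from the table above and the firewall requirements from the Acceleration section to a planned load balancer design. The tier labels, the layout of the design dictionary and the counting of health checks as one per monitored pool member are my assumptions.

```python
# Sizing maximums from the table above; the tier keys are my own labels,
# listed smallest first.
SIZE_MAX = {
    "Compact/Large/Quad Large": {"vips": 64, "pools": 64, "servers_per_pool": 32, "health_checks": 320},
    "X-Large": {"vips": 1024, "pools": 1024, "servers_per_pool": 32, "health_checks": 3072},
}
L7_PROTOCOLS = {"http", "https"}


def review_design(design):
    """Return the smallest Edge tier that fits the design plus a list of findings."""
    findings = []
    if not design.get("firewall_enabled", False):
        findings.append("Edge firewall must be enabled for load balancing to work")

    pools = design["pools"]
    counts = {
        "vips": len(design["virtual_servers"]),
        "pools": len(pools),
        "servers_per_pool": max((len(p["members"]) for p in pools), default=0),
        # Assumption: one health check per member of a pool that has a monitor
        "health_checks": sum(len(p["members"]) for p in pools if p.get("monitor")),
    }
    tier = None
    for name, limits in SIZE_MAX.items():
        if all(counts[k] <= limits[k] for k in limits):
            tier = name
            break
    if tier is None:
        findings.append("design exceeds X-Large maximums: %s" % counts)

    for vs in design["virtual_servers"]:
        # Only accelerated L4 VIPs are handled before the Edge firewall;
        # L7 VIPs and non-accelerated VIPs need an explicit Allow rule.
        if vs["protocol"].lower() in L7_PROTOCOLS or not vs.get("accelerated", False):
            findings.append("Allow rule needed for VIP %s:%d" % (vs["ip"], vs["port"]))
    return {"tier": tier, "counts": counts, "findings": findings}
```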
Common CLI Commands
- Firewall must be enabled for LB to work
show firewall
- NAT requires Firewall and is used in LB
show nat
- Check LB is running
show service loadbalancer
- View LB Session Table
show service loadbalancer session
- View LB configuration
show configuration loadbalancer
- View Virtual Server statistics
show configuration loadbalancer virtual [virtual-server-name]
- Show Server Pool object statistics
show configuration loadbalancer pool [pool-name]
- Show Service Monitor Status
show configuration loadbalancer monitor [monitor-name]
- Show Application Profiles
show configuration loadbalancer profile [profile-name]
- Show Application Rules
show configuration loadbalancer rule [rule-name]